CIOs more concerned than ever about social media and data loss

Survey finds security breaches due to social networking more pressing than ever

A new survey from email security firm Proofpoint finds more organisations are dealing with data loss and security breaches due to employee use of social media sites. Proofpoint polled 261 IT decision makers at organisations with more than 1000 employees. Respondents were asked about the frequency of data loss events in the past 12 months, as well as their concerns, priorities and policies related to email, the web, social media and other sources of data loss risk.

The survey found 20 percent of companies polled had investigated the exposure of confidential, sensitive or private information via a post to a social networking site. In many instances, the events have been severe enough to lead to job loss or disciplinary action, with seven percent of companies reporting termination of an employee for social networking policy violations. Another 20 percent disciplined an employee for not following social networking policy.

Social networking sites such as Facebook and LinkedIn were cited by 53 percent of respondents as a high concern when it comes to the risk of information leakage. However, not all companies are concerned enough to make the sites off limits. Only 53 percent explicitly prohibit the use of Facebook and 31 percent explicitly prohibit use of LinkedIn.

Microblogging service Twitter was mentioned by 17 percent of companies as a source of investigation due to the exposure of confidential, sensitive or private information. Additionally, 51 percent said they are highly concerned about the risk of information leakage on Twitter.

According to Craig Shumard, CSO with Cigna, the nation's fourth largest health services provider, social networks are viewed as both a tremendous benefit to employees and a security concern. But the risks they pose are not really new.

"People have had the ability to go out and express opinions on emails and blogs for some time. We spend a lot of time around training and awareness as far as ensuring people know what good behavior is on these kinds of forums," said Shumard. "Folks know they are not supposed to be speaking on behalf of Cigna or Cigna Corporation."

Shumard said he is not aware of any disciplinary action or termination within his organisation that can be attributed to an employee's use, or misuse, of social media. But Cigna, which has allowed employees to access social media sites using company computers since 2009, did a considerable amount of education and awareness work beforehand and has explained its expectations clearly to employees in its social media use policy.

"Employees are not supposed to be using these tools and disclosing information that would not be appropriate given the manner of what we do," he said. "And that they are supposed to look at those considerations on a personal basis, too. They are supposed to make sure they don't make comments that would be derogatory to Cigna or any of its customers or employees. It really does boil down to basic common sense to make people think, and think again, about what they are putting in these social networking sites."

Media sharing sites like YouTube and Vimeo also pose risks, according to the survey, which found 18 percent of companies investigated the exposure of sensitive information on one of the sites. Employees were terminated in 9 percent of the companies for media sharing/posting policy violations and 21 percent had disciplined an employee for such behaviour.